W32/Rbot-ACO

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Close the registry editor.

To renable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.

W32/Rbot-ACO is a network worm with backdoor functionality for the Windows platform.

W32/Rbot-ACO spreads to other network computers by exploiting common vulnerabilities and by copying itself to network shares protected by weak passwords.

W32/Rbot-ACO connects to an IRC channel and listens for backdoor commands from a remote attacker.

When first run the worm copies itself to the Windows system folder as R00T.EXE.

The following registry entries are created to run r00t.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
update
r00t.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
update
r00t.exe

Registry entries are also set as follows:

HKCU\Software\Microsoft\OLE
update
r00t.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

The following patches for operating system vulnerabilities exploited by W32/Rbot-ACO can be obtained from the Microsoft website:

MS03-049
MS04-011
MS04-012